DIY Security Testing and Auditing for Small Businesses
In large enterprises, the testing and auditing process is either handled by external contractors or by internal security specialists. In small businesses, security testing and auditing is usually handled by … well, nobody, really! A combination of apathy, shortage of in-house expertise and budgetary constraints mean that the process simply doesn’t happen in the majority of small businesses. And that’s a mistake. No matter how small your business is, you have valuable IT assets and you need to make sure that those assets are properly protected. You need to establish that your defences are up to par and you need to establish areas in which your security plan needs to be updated. And the only way you can reliably do that is by security testing and auditing.
For businesses which do not have the resources to contract to an external consultant, there are some easy-to-use, no-cost tools that can help:
The Microsoft Baseline Security Analyzer (MBSA). To quote Microsoft, MBSA “is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.” While Microsoft suggest that MBSA is a tool for IT professionals, it is in fact easy enough to be used by anybody with a reasonable grasp of IT. MBSA can be used to identify missing updates on networked computers, common misconfigurations and provides recommendations on remediation.
Microsoft Security Assessment Tool (MSAT). MSAT is based around a set of more than 200 questions about your infrastructure, applications, operations and people. The answers to the questions are collated and used to provide recommendations about measures that can be taken to improve your security.
Qualys’SANS Top 20 Scan. This scan “detects the 20 most dangerous vulnerabilities impacting networks worldwide” and, where appropriate, provides links to recommended fixes.
These tools will certainly not provide you with the comprehensive assessment that you would receive from a security consultant, but they will nonetheless provide you with valuable insight as to the effectiveness of your security strategy and steps that you can take to enhance your security.